http://bugs.winehq.org/show_bug.cgi?id=8425
------- Additional Comments From a_villacis@palosanto.com 2007-18-05 10:47 -------
Test last night showed that installer still crashes if query for conversion length is spiked to return one more WCHAR, so that the next conversion succeeds. No change in behavior. So the character conversion is *not* the cause of the crash.
I tried to run the program with the debugger. The crash appears to be caused by a jump/call/return into an invalid address, because EIP shows the same address as the one causing the SIGSEGV. So, the stack is being corrupted, or possibly a table of addresses (vtable?) has been corrupted or has an uninitialized address.